Sign into Dokuwiki with Google

Dokuwiki (https://www.dokuwiki.org/dokuwiki) is a nice and helpful gift from the open-source community. A favorite of administrators for its ease of maintenance and its integration options, it serves the needs of a content management system or of a corporate or personal note keeper. In this post I am sharing an approach we followed to keep this simplicity intact while making the wiki available to an existing Google user base through Single Sign-On.
We made use of the extensibility of Dokuwiki via plugins and of the OAuth 2.0 based integration provided by Google for this purpose. Let's look at the flow and then at how this was configured.
 

Flow

As in the diagram, when the user comes to the Dokuwiki login page, we want to show them the option of logging in via Google. With this feature available, if they are already logged into Google, they will be automatically logged into Dokuwiki with Single Sign-On in action. If not, they will go through the usual Google login procedure on the Google site (with Multi-Factor Authentication (MFA), if they have enabled it). Once Google authentication is complete, Google redirects the user back to Dokuwiki with a response that carries the user details, including username and email address. With this information in hand, we can decide whether to authorize the user, for example by validating that their email domain is allowed, and can even provision the user in our system (of course, depending on the user's jurisdiction, we may have privacy concerns to honor).
Then, if the user accesses any Google service afterwards, such as Gmail or YouTube, they will be automatically logged into it, as Google has already authenticated the user and has configured those applications for SSO.
 
As you can see, there are a lot of advantages here.
- Convenience to the user, without any compromise on security.
- The whole Google user base can easily become users of our application (a plus point for user on-boarding: hassle-free user registration and login).
- Zero effort to provide multi-factor authentication for the users, as Google already provides it.
- The burden of maintaining a user base is gone. Otherwise we would have to worry about all the security aspects of storing user passwords securely.
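
The authorization decision mentioned in the flow above (admitting only users whose email domain is allowed) can be sketched as follows. This is an added example, not code from the Dokuwiki OAuth plugin or from this post; `authorize`, `email_domain` and `ALLOWED_DOMAINS` are hypothetical names, and the claims are assumed to be the `email`, `email_verified` and `hd` fields of Google's OpenID Connect user info, with `email_verified` as a boolean.

```python
# Added example: authorization decision after Google returns the user details.
# ALLOWED_DOMAINS and all sample claim values are constructed for illustration.
ALLOWED_DOMAINS = {"example.com"}


def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    if not isinstance(email, str):
        return None
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def authorize(claims, allowed=ALLOWED_DOMAINS, require_workspace=False):
    """Return (decision, reason) for the claims received about the user."""
    # Only trust the address if Google says it verified it (boolean assumed).
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    domain = email_domain(claims.get("email"))
    if domain is None:
        return False, "malformed email"
    # Exact match only: a suffix test would also accept 'notexample.com'.
    if domain not in allowed:
        return False, "domain not allowed"
    # 'hd' is Google's hosted-domain claim, present for Workspace accounts.
    if require_workspace and str(claims.get("hd", "")).lower() not in allowed:
        return False, "not a Workspace account of an allowed domain"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed claim sets
        {"email": "alice@example.com", "email_verified": True, "hd": "example.com"},
        {"email": "bob@notexample.com", "email_verified": True},
        {"email": "carol@example.com", "email_verified": False},
        {"email": "dave@EXAMPLE.com", "email_verified": True},
    ]
    for claims in samples:
        print(claims["email"], authorize(claims))
```

Run the check on every login rather than only when the account is first provisioned, so that a change to the allow-list takes effect for existing users too.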

Configuration

Then comes the question of how to achieve this, given that it has so many benefits. Frankly, the steps are very simple; we only need a good understanding of what we are doing and familiarity with how the OAuth 2.0 protocol works. I will share below the configurations we did.

1. Install OAuth 2.0 plugin in Dokuwiki
You can get all the details related to this plugin at https://www.dokuwiki.org/plugin:oauth. It has been well maintained and does the work it declares. Once the plugin is installed via the Dokuwiki configuration manager, it asks you to fill in some details under 'OAuth 2.0', including the ClientID and Client Secret. To get those we have to visit Google, as explained below. :)

2. Register Dokuwiki as an Application in GSuite of Google
For this, we need to visit https://console.cloud.google.com/apis/credentials. On that screen, create a project, which might take a while; it will then allow you to create credentials, as seen below.
 
Select the OAuth Client ID option as seen below and proceed.
It will ask you to configure the consent screen as well. Provide details as appropriate for your application at this step.

At the end of this setup, it will ask for a redirect URL for the application. For Dokuwiki, use 'https://<host>/doku.php', replacing 'host' with the actual hosted domain of your Dokuwiki.

At this point, we are all good on the Google side. Note the ClientID and Client Secret values now generated by Google and use them to fill in the previously noted configuration of the Dokuwiki OAuth 2.0 plugin.

Time to see how it goes. Now when you go to the Dokuwiki login page, a nice and neat G+ icon will be shining there as a login option. Clicking on it takes us to the Google login, then through the consent screen we configured previously, and finally we get redirected back to Dokuwiki.
Cheers and we are logged in!

(Hope this helps you to configure the experience. If you need any assistance with similar projects, reach out to me.)
